Trustwave's SpiderLabs Security Advisory TWSL2009-002: 
Cisco ASA Web VPN Multiple Vulnerabilities

Published: 2009-06-24 Version: 1.0

Vendor: Cisco Systems, Inc. (http://www.cisco.com)

Versions affected: 8.0(4), 8.1.2, and 8.2.1

Description: Cisco's Adaptive Security Appliance (ASA)
provides a number of security related features, including
"Web VPN" functionality that allows authenticated users to
access a variety of content through a web interface. This
includes other web content, FTP servers, and CIFS file
servers.

The web content is proxied by the ASA and rewritten so that
any URLs in the web content are passed as query parameters
sent to the ASA web interface. Where scripting content is
present, the ASA places a JavaScript wrapper around the
original webpage's Document Object Model (DOM), to prevent
the webpage from accessing the ASA's DOM.

Credit: David Byrne of Trustwave's SpiderLabs


Finding 1: Post-Authentication Cross-Site Scripting
CVE: CVE-2009-1201
The ASA's DOM wrapper can be rewritten in a manner to allow
Cross-Site Scripting (XSS) attacks. For example, the
"csco_wrap_js" JavaScript function in /+CSCOL+/cte.js makes
a call to a function referenced by "CSCO_WebVPN['process']".
The result of this call is then used in an "eval" statement.

function csco_wrap_js(str)
{
   var ret="<script id=CSCO_GHOST src="+CSCO_Gateway+
           "/+CSCOL+/cte.js></scr"+
           "ipt><script id=CSCO_GHOST src="+
           CSCO_Gateway+"/+CSCOE+/apcf></sc"+"ript>";
   var js_mangled=CSCO_WebVPN['process']('js',str);
   ret+=CSCO_WebVPN['process']('html',eval(js_mangled));
   return ret;
};

To exploit this behavior, a malicious page can rewrite
"CSCO_WebVPN['process']" with an attacker-defined function
that will return an arbitrary value. The next time the
"csco_wrap_js" function is called, the malicious code will
be executed. Below is a proof of concept.

<html><script>
function a(b, c)
{
   return "alert('Your VPN location:\\n\\n'+" +
   "document.location+'\\n\\n\\n\\n\\n" +
   "Your VPN cookie:\\n\\n'+document.cookie);";
}
CSCO_WebVPN['process'] = a;
csco_wrap_js('');
</script></html>

Vendor Response:
This vulnerability has been corrected in versions 8.0.4.34,
and 8.1.2.25.
Updated Cisco ASA software can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT

A vendor response will be posted at
http://www.cisco.com/security This vulnerability is
documented in Cisco Bug ID:  CSCsy80694.

CVSS Score: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C
Base: 4.3
Temporal: 3.9


Finding 2: HTML Rewriting Bypass
CVE: CVE-2009-1202
When a webpage is requested through the ASA's Web VPN, the
targeted scheme and hostname is Rot13-encoded, then
hex-encoded and placed in the ASA's URL. For example,
"http://www.trustwave.com" is accessed by requesting the
following ASA path:
      
/+CSCO+0075676763663A2F2F6A6A6A2E67656866676A6E69722E70627A+
+/

The HTML content of this request is obviously reformatted by
the ASA, starting at the very beginning:

      <script id='CSCO_GHOST' src="/+webvpn+/toolbar.js">

However, if the request URL is modified to change the
initial hex value of "00" to "01", the HTML document is
returned without any rewriting. This allows the pages
scriptable content to run in the ASA's DOM, making
Cross-Site Scripting trivial.

Vendor Response:
This vulnerability has been corrected in versions 8.0.4.34,
and 8.1.2.25.
Updated Cisco ASA software can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT

A vendor response will be posted at
http://www.cisco.com/security
This vulnerability is documented in Cisco Bug ID:
CSCsy80705.

CVSS Score: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C
Base: 4.3
Temporal: 3.9


Finding 3: Authentication Credential Theft
CVE: CVE-2009-1203
When a user accesses an FTP or CIFS destination using the
Web VPN, the resulting URL is formatted in a similar manner
as the web requests described above. The following URL
attempts to connect to ftp.example.com; normally, it would
be in an HTML frame within the Web VPN website.

      
/+CSCOE+/files/browse.html?code=init&path=ftp%3A%2F%2F736763
2e726b6e7a6379722e70627a

The ASA first attempts to connect to the FTP server or CIFS
share using anonymous credentials. If those fail, the user
is prompted for login credentials. When viewed on its own
(outside of a frame), the submission form gives no
indication what it is for and is very similar in appearance
to the Web VPN's primary login page. If the URL was sent to
a user by an attacker, it is very possible that a user would
assume that he needs to resubmit credentials to the Web VPN.
The ASA would then forward the credentials to the attacker's
FTP or CIFS server.

Vendor Response:
This vulnerability has been corrected in versions 8.0.4.34,
and 8.1.2.25.
Updated Cisco ASA software can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT

A vendor response will be posted at
http://www.cisco.com/security
This vulnerability is documented in Cisco Bug ID:
CSCsy80709.

CVSS Score: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C
Base: 4.3
Temporal: 3.9


Vendor Communication Timeline:
03/31/09 - Cisco notified of vulnerabilities
06/24/09 - Cisco software updates released; Advisory
           released

Remediation Steps: Install updated software from Cisco.


Revision History: 1.0 Initial publication

About Trustwave:
Trustwave is the leading provider of on-demand and
subscription-based information security and payment card
industry compliance management solutions to businesses and
government entities throughout the world. For organizations
faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with
comprehensive solutions that include its flagship
TrustKeeper compliance management software and other
proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500
businesses and large financial institutions to small and
medium-sized retailers--manage compliance and secure their
network infrastructure, data communications and critical
information assets. Trustwave is headquartered in Chicago
with offices throughout North America, South America,
Europe, Africa, China and Australia. For more information,
visit https://www.trustwave.com

About Trustwave's SpiderLabs:
SpiderLabs is the advance security team at Trustwave
responsible for incident response and forensics, ethical
hacking and application security tests for Trustwave's
clients. SpiderLabs has responded to hundreds of security
incidents, performed thousands of ethical hacking exercises
and tested the security of hundreds of business applications
for Fortune 500 organizations. For more information visit
https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as
is" without warranty of any kind. Trustwave disclaims all
warranties, either express or implied, including the
warranties of merchantability and fitness for a particular
purpose. In no event shall Trustwave or its suppliers be
liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business
profits or special damages, even if Trustwave or its
suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or
limitation of liability for consequential or incidental
damages so the foregoing limitation may not apply.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/